Advice: how to behave on host1...10000.$domain


#1

Hello,

I am currently planning/building a system to extend our web hosting to use LE.
One design decision is fixed: one certificate per FQDN.
That results in less than 10k certificates based on the number of customers we have.
They distribute to

The first two points are done. The system took 2 weeks to fetch all of the 5k certs.
But what will happen if we start requesting a certificate every two minutes for

  • customer_one.our_company_domain
  • sleep 120
  • customer_two.our_company_domain
  • sleep 120
  • customer_three.our_company_domain

Will we hit any limit?
I already read letsencrypt.org/docs/ but did not find an answer (or simply overlooked it, sorry).

Thanks for response/clarification
Andreas


#2

Hi @sca_le,

Yes, you will hit the Certificates Per Registered Domain rate limit, supposing that there are 10,000 customers each with a certificate underneath our_company_domain.

https://letsencrypt.org/docs/rate-limits/

Are you saying that you’ve already managed to get these thousands of certificates from Let’s Encrypt in your previous arrangement? That shouldn’t have been possible even over the course of two weeks, because the Certificates Per Registered Domain limit allows only 20 per week, not 5,000 per week.


#3

I think the “customerdomain” is a different second-level domain for each customer, so that would only be 2 per domain (www and bare). You’re right about the third one though, of course - that won’t work.


#4

@jmorahan is right: I’ve 2500 /different/ domains…


#5

Hello @schoen,

90 days/7 = 12 weeks * 20 certs/week = not more than 240 different hostnames within one domain. Correct?

Are you saying that it is impossible at all to request certificates if ~2k customers share the same domain,
or are limit exceptions on your side possible and required to be set up?
( I provided more information on the “rate limiting form” some days ago )

Andreas


#6

I’m sorry, I’m still confused about what you’re asking for!

If you’re looking for individual certs (not overlapping) for customer1.ourcompany, customer2.ourcompany, … customer2000.ourcompany, there is no way to get those concurrently because of Certificates Per Registered Domain. However, filing the rate limiting form is an appropriate choice for a hosting provider in this case because the rate limit can be increased if Let’s Encrypt agrees that the use is appropriate.

If you’re looking for overlapping certs that include multiple hostnames within a single SAN cert, then you can get a much larger number of sites covered because you can cover 100 at a time and get 20 such certificates per week, covering a total of 2000 hostnames per week.
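The arithmetic in posts #3, #5 and #6, worked through as an added example that is not part of any post in this thread: a small planner that groups hostnames by registered domain and assigns each certificate to a week under the limits quoted above. The hostnames under `.example`, the function names and the "last two labels" rule for the registered domain are assumptions made for illustration.

```python
from collections import defaultdict

CERTS_PER_WEEK = 20         # Certificates Per Registered Domain, as quoted in the thread
MAX_NAMES_PER_CERT = 100    # hostnames per SAN certificate, as quoted in the thread
LIFETIME_WEEKS = 90 // 7    # 12, the arithmetic used in post #5


def registered_domain(fqdn):
    """Assumption: the registered domain is the last two labels.
    A production system must consult the Public Suffix List instead."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def plan(fqdns, names_per_cert=1):
    """Map each registered domain to a list of (week, [hostnames]) issuances."""
    if not 1 <= names_per_cert <= MAX_NAMES_PER_CERT:
        raise ValueError("names_per_cert must be between 1 and 100")
    by_domain = defaultdict(list)
    for name in sorted(set(fqdns)):
        by_domain[registered_domain(name)].append(name)
    schedule = {}
    for domain, names in by_domain.items():
        certs = [names[i:i + names_per_cert]
                 for i in range(0, len(names), names_per_cert)]
        # Simplification: "per week" is modelled as consecutive 7-day blocks.
        schedule[domain] = [(n // CERTS_PER_WEEK, sans)
                            for n, sans in enumerate(certs)]
    return schedule


def weeks_needed(schedule):
    """Weeks until every certificate in the plan has been issued once."""
    return max((entries[-1][0] + 1 for entries in schedule.values()), default=0)


def fits_in_lifetime(schedule):
    """True if first issuance completes within 12 weeks (post #5's bound)."""
    return weeks_needed(schedule) <= LIFETIME_WEEKS


# Constructed sample data: 2000 customers under one shared domain, and
# 2500 customer-owned domains with a bare and a www name each.
shared = [f"customer{i}.ourcompany.example" for i in range(1, 2001)]
own = [h for i in range(1, 2501)
       for h in (f"customer{i}.example", f"www.customer{i}.example")]

if __name__ == "__main__":
    for label, names, per_cert in (("shared, 1 name/cert", shared, 1),
                                   ("shared, 100 names/cert", shared, 100),
                                   ("own domains, 1 name/cert", own, 1)):
        p = plan(names, per_cert)
        print(label, weeks_needed(p), "week(s)", fits_in_lifetime(p))
```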


#7

Hello Seth,

overlapping certs would introduce a complexity I can’t handle. So I decided “one FQDN, one certificate” …
I’m bound to individual certs.

I filed the form ~last week and made sure I provided a working e-mail address. But I did not receive a copy of my request. If that would be the normal case, my request failed. If it’s intentional not to echo the request to the requestor, I suggest extending the form. In any case it would be good to know the current form behaviour.

Andreas


#8

Hi @sca_le,

It may take about a month to see action on your rate limit exemption request and it will not necessarily be confirmed when you submit it. I’ll suggest that the documentation surrounding this be updated to indicate this.

